Mercurial > hg > nginx-tests
annotate ssl_verify_client.t @ 1976:4e79bd25642f default tip
Tests: added test for headers without a colon.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Sat, 11 May 2024 18:56:23 +0300 |
| parents | b72a8c4a1bef |
| children |
| rev | line source |
|---|---|
|
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
1 #!/usr/bin/perl |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
2 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
3 # (C) Sergey Kandaurov |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
4 # (C) Nginx, Inc. |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
5 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
6 # Tests for http ssl module, ssl_verify_client. |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
7 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
8 ############################################################################### |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
9 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
10 use warnings; |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
11 use strict; |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
12 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
13 use Test::More; |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
14 |
|
1621
fd440d324700
Tests: simplified get_ssl_socket() functions that use Net::SSLeay.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1578
diff
changeset
|
15 use Socket qw/ CRLF /; |
|
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
16 |
|
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
17 BEGIN { use FindBin; chdir($FindBin::Bin); } |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
18 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
19 use lib 'lib'; |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1843
diff
changeset
|
20 use Test::Nginx qw/ :DEFAULT http_end /; |
|
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
21 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
22 ############################################################################### |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
23 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
24 select STDERR; $| = 1; |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
25 select STDOUT; $| = 1; |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
26 |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1843
diff
changeset
|
27 my $t = Test::Nginx->new()->has(qw/http http_ssl sni socket_ssl_sni/) |
|
1578
f55d25e08b3e
Tests: added "ssl_verify_client off" tests (ticket #2008).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1572
diff
changeset
|
28 ->has_daemon('openssl')->plan(13); |
|
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
29 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
30 $t->write_file_expand('nginx.conf', <<'EOF'); |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
31 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
32 %%TEST_GLOBALS%% |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
33 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
34 daemon off; |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
35 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
36 events { |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
37 } |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
38 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
39 http { |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
40 %%TEST_GLOBALS_HTTP%% |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
41 |
|
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
42 add_header X-Verify x$ssl_client_verify:${ssl_client_cert}x; |
|
1843
818e6d8c43b5
Tests: LibreSSL does not send CA lists with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1819
diff
changeset
|
43 add_header X-Protocol $ssl_protocol; |
|
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
44 |
|
1383
e5246e5caa31
Tests: use shared session cache in ssl_verify_client for coverage.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1381
diff
changeset
|
45 ssl_session_cache shared:SSL:1m; |
|
e5246e5caa31
Tests: use shared session cache in ssl_verify_client for coverage.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1381
diff
changeset
|
46 ssl_session_tickets off; |
|
e5246e5caa31
Tests: use shared session cache in ssl_verify_client for coverage.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1381
diff
changeset
|
47 |
|
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
48 server { |
|
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
49 listen 127.0.0.1:8080; |
|
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
50 server_name localhost; |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
51 |
|
1277
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
52 ssl_certificate_key 1.example.com.key; |
|
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
53 ssl_certificate 1.example.com.crt; |
|
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
54 |
|
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
55 ssl_verify_client on; |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
56 ssl_client_certificate 2.example.com.crt; |
|
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
57 } |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
58 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
59 server { |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1843
diff
changeset
|
60 listen 127.0.0.1:8443 ssl; |
|
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
61 server_name on; |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
62 |
|
1277
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
63 ssl_certificate_key 1.example.com.key; |
|
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
64 ssl_certificate 1.example.com.crt; |
|
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
65 |
|
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
66 ssl_verify_client on; |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
67 ssl_client_certificate 2.example.com.crt; |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
68 } |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
69 |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
70 server { |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1843
diff
changeset
|
71 listen 127.0.0.1:8443 ssl; |
|
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
72 server_name optional; |
|
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
73 |
|
1277
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
74 ssl_certificate_key 1.example.com.key; |
|
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
75 ssl_certificate 1.example.com.crt; |
|
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
76 |
|
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
77 ssl_verify_client optional; |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
78 ssl_client_certificate 2.example.com.crt; |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
79 ssl_trusted_certificate 3.example.com.crt; |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
80 } |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
81 |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
82 server { |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1843
diff
changeset
|
83 listen 127.0.0.1:8443 ssl; |
|
1578
f55d25e08b3e
Tests: added "ssl_verify_client off" tests (ticket #2008).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1572
diff
changeset
|
84 server_name off; |
|
f55d25e08b3e
Tests: added "ssl_verify_client off" tests (ticket #2008).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1572
diff
changeset
|
85 |
|
f55d25e08b3e
Tests: added "ssl_verify_client off" tests (ticket #2008).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1572
diff
changeset
|
86 ssl_certificate_key 1.example.com.key; |
|
f55d25e08b3e
Tests: added "ssl_verify_client off" tests (ticket #2008).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1572
diff
changeset
|
87 ssl_certificate 1.example.com.crt; |
|
f55d25e08b3e
Tests: added "ssl_verify_client off" tests (ticket #2008).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1572
diff
changeset
|
88 |
|
f55d25e08b3e
Tests: added "ssl_verify_client off" tests (ticket #2008).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1572
diff
changeset
|
89 ssl_verify_client off; |
|
f55d25e08b3e
Tests: added "ssl_verify_client off" tests (ticket #2008).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1572
diff
changeset
|
90 ssl_client_certificate 2.example.com.crt; |
|
f55d25e08b3e
Tests: added "ssl_verify_client off" tests (ticket #2008).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1572
diff
changeset
|
91 ssl_trusted_certificate 3.example.com.crt; |
|
f55d25e08b3e
Tests: added "ssl_verify_client off" tests (ticket #2008).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1572
diff
changeset
|
92 } |
|
f55d25e08b3e
Tests: added "ssl_verify_client off" tests (ticket #2008).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1572
diff
changeset
|
93 |
|
f55d25e08b3e
Tests: added "ssl_verify_client off" tests (ticket #2008).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1572
diff
changeset
|
94 server { |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1843
diff
changeset
|
95 listen 127.0.0.1:8443 ssl; |
|
1572
f5a3b70c0f2f
Tests: fixed ssl_verify_client.t with LibreSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
96 server_name optional.no.ca; |
|
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
97 |
|
1277
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
98 ssl_certificate_key 1.example.com.key; |
|
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
99 ssl_certificate 1.example.com.crt; |
|
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
100 |
|
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
101 ssl_verify_client optional_no_ca; |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
102 ssl_client_certificate 2.example.com.crt; |
|
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
103 } |
|
1277
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
104 |
|
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
105 server { |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1843
diff
changeset
|
106 listen 127.0.0.1:8443 ssl; |
|
1572
f5a3b70c0f2f
Tests: fixed ssl_verify_client.t with LibreSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
107 server_name no.context; |
|
1277
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
108 |
|
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
109 ssl_verify_client on; |
|
1d7c87dba788
Tests: added test for SSL session remove (ticket #1464).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1260
diff
changeset
|
110 } |
|
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
111 } |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
112 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
113 EOF |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
114 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
115 $t->write_file('openssl.conf', <<EOF); |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
116 [ req ] |
|
1488
dbce8fb5f5f8
Tests: align with OpenSSL security level 2.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1383
diff
changeset
|
117 default_bits = 2048 |
|
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
118 encrypt_key = no |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
119 distinguished_name = req_distinguished_name |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
120 [ req_distinguished_name ] |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
121 EOF |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
122 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
123 my $d = $t->testdir(); |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
124 |
|
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
125 foreach my $name ('1.example.com', '2.example.com', '3.example.com') { |
|
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
126 system('openssl req -x509 -new ' |
|
1220
0af58b78df35
Tests: removed single quotes from system() calls.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1207
diff
changeset
|
127 . "-config $d/openssl.conf -subj /CN=$name/ " |
|
0af58b78df35
Tests: removed single quotes from system() calls.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1207
diff
changeset
|
128 . "-out $d/$name.crt -keyout $d/$name.key " |
|
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
129 . ">>$d/openssl.out 2>&1") == 0 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
130 or die "Can't create certificate for $name: $!\n"; |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
131 } |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
132 |
|
1260
eadd24ccfda1
Tests: postponed startup in certain ssl certificate tests on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1220
diff
changeset
|
133 sleep 1 if $^O eq 'MSWin32'; |
|
eadd24ccfda1
Tests: postponed startup in certain ssl certificate tests on win32.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1220
diff
changeset
|
134 |
|
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
135 $t->write_file('t', 'SEE-THIS'); |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
136 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
137 $t->run(); |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
138 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
139 ############################################################################### |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
140 |
|
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
141 like(http_get('/t'), qr/x:x/, 'plain connection'); |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
142 like(get('on'), qr/400 Bad Request/, 'no cert'); |
|
1572
f5a3b70c0f2f
Tests: fixed ssl_verify_client.t with LibreSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
143 like(get('no.context'), qr/400 Bad Request/, 'no server cert'); |
|
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
144 like(get('optional'), qr/NONE:x/, 'no optional cert'); |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
145 like(get('optional', '1.example.com'), qr/400 Bad/, 'bad optional cert'); |
|
1572
f5a3b70c0f2f
Tests: fixed ssl_verify_client.t with LibreSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1488
diff
changeset
|
146 like(get('optional.no.ca', '1.example.com'), qr/FAILED.*BEGIN/, |
|
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
147 'bad optional_no_ca cert'); |
|
1578
f55d25e08b3e
Tests: added "ssl_verify_client off" tests (ticket #2008).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1572
diff
changeset
|
148 like(get('off', '2.example.com'), qr/NONE/, 'off cert'); |
|
f55d25e08b3e
Tests: added "ssl_verify_client off" tests (ticket #2008).
Sergey Kandaurov <pluknet@nginx.com>
parents:
1572
diff
changeset
|
149 like(get('off', '3.example.com'), qr/NONE/, 'off cert trusted'); |
|
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
150 |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
151 like(get('localhost', '2.example.com'), qr/SUCCESS.*BEGIN/, 'good cert'); |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
152 like(get('optional', '2.example.com'), qr/SUCCESS.*BEGI/, 'good cert optional'); |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
153 like(get('optional', '3.example.com'), qr/SUCCESS.*BEGIN/, 'good cert trusted'); |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
154 |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
155 SKIP: { |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
156 skip 'Net::SSLeay version >= 1.36 required', 1 if $Net::SSLeay::VERSION < 1.36; |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
157 |
|
1843
818e6d8c43b5
Tests: LibreSSL does not send CA lists with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1819
diff
changeset
|
158 TODO: { |
|
818e6d8c43b5
Tests: LibreSSL does not send CA lists with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1819
diff
changeset
|
159 local $TODO = 'broken TLSv1.3 CA list in LibreSSL' |
|
818e6d8c43b5
Tests: LibreSSL does not send CA lists with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1819
diff
changeset
|
160 if $t->has_module('LibreSSL') && test_tls13(); |
|
1968
b72a8c4a1bef
Tests: CA list handling with Net::SSLeay with LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1865
diff
changeset
|
161 local $TODO = 'no TLSv1.3 CA list in Net::SSLeay (LibreSSL)' |
|
b72a8c4a1bef
Tests: CA list handling with Net::SSLeay with LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1865
diff
changeset
|
162 if Net::SSLeay::constant("LIBRESSL_VERSION_NUMBER") && test_tls13(); |
|
1843
818e6d8c43b5
Tests: LibreSSL does not send CA lists with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1819
diff
changeset
|
163 |
|
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
164 my $ca = join ' ', get('optional', '3.example.com'); |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
165 is($ca, '/CN=2.example.com', 'no trusted sent'); |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
166 |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
167 } |
|
1843
818e6d8c43b5
Tests: LibreSSL does not send CA lists with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1819
diff
changeset
|
168 } |
|
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
169 |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
170 like(get('optional', undef, 'localhost'), qr/421 Misdirected/, 'misdirected'); |
|
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
171 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
172 ############################################################################### |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
173 |
|
1843
818e6d8c43b5
Tests: LibreSSL does not send CA lists with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1819
diff
changeset
|
174 sub test_tls13 { |
|
818e6d8c43b5
Tests: LibreSSL does not send CA lists with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1819
diff
changeset
|
175 get('optional') =~ /TLSv1.3/; |
|
818e6d8c43b5
Tests: LibreSSL does not send CA lists with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1819
diff
changeset
|
176 } |
|
818e6d8c43b5
Tests: LibreSSL does not send CA lists with TLSv1.3.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1819
diff
changeset
|
177 |
|
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
178 sub get { |
|
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
179 my ($sni, $cert, $host) = @_; |
|
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
180 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
181 $host = $sni if !defined $host; |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
182 |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1843
diff
changeset
|
183 my $s = http( |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1843
diff
changeset
|
184 "GET /t HTTP/1.0" . CRLF . |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1843
diff
changeset
|
185 "Host: $host" . CRLF . CRLF, |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1843
diff
changeset
|
186 start => 1, |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1843
diff
changeset
|
187 SSL => 1, |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1843
diff
changeset
|
188 SSL_hostname => $sni, |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1843
diff
changeset
|
189 $cert ? ( |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1843
diff
changeset
|
190 SSL_cert_file => "$d/$cert.crt", |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1843
diff
changeset
|
191 SSL_key_file => "$d/$cert.key" |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1843
diff
changeset
|
192 ) : () |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1843
diff
changeset
|
193 ); |
|
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
194 |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1843
diff
changeset
|
195 return http_end($s) unless wantarray(); |
|
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
196 |
|
1865
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1843
diff
changeset
|
197 # Note: this uses IO::Socket::SSL::_get_ssl_object() internal method. |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1843
diff
changeset
|
198 # While not exactly correct, it looks like there is no other way to |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1843
diff
changeset
|
199 # obtain CA list with IO::Socket::SSL, and this seems to be good |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1843
diff
changeset
|
200 # enough for tests. |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1843
diff
changeset
|
201 |
|
0e1865aa9b33
Tests: reworked http SSL tests to use IO::Socket::SSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
1843
diff
changeset
|
202 my $ssl = $s->_get_ssl_object(); |
|
1114
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
203 my $list = Net::SSLeay::get_client_CA_list($ssl); |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
204 my @names; |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
205 for my $i (0 .. Net::SSLeay::sk_X509_NAME_num($list) - 1) { |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
206 my $name = Net::SSLeay::sk_X509_NAME_value($list, $i); |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
207 push @names, Net::SSLeay::X509_NAME_oneline($name); |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
208 } |
|
c5df4742ad40
Tests: more http/stream ssl_verify_client tests borrowed from mail.
Sergey Kandaurov <pluknet@nginx.com>
parents:
1070
diff
changeset
|
209 return @names; |
|
932
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
210 } |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
211 |
|
f9ab0aa6e14e
Tests: simple ssl_verify_client tests.
Sergey Kandaurov <pluknet@nginx.com>
parents:
diff
changeset
|
212 ############################################################################### |